Abstract

We present a new protocol for verifiably redistributing secrets from an (m, n) threshold sharing scheme to an (m', n') scheme. Our protocol guards against dynamic adversaries. We observe that existing protocols either cannot be readily extended to allow redistribution between different threshold schemes, or have vulnerabilities that allow faulty old shareholders to distribute invalid shares to new shareholders. Our primary contribution is that in our protocol, new shareholders can verify the validity of their shares after redistribution between different threshold schemes.
1 Introduction

Threshold cryptography protocols provide fundamental building blocks for secure distributed computation and the safeguarding of secrets. The area of threshold cryptography has been studied extensively since its introduction by Blakley and Shamir [Bla79, Sha79].

Two categories of threshold protocols, proactive secret sharing (PSS) protocols and secret redistribution protocols, provide enhanced protection against dynamic adversaries [OY91]. PSS protocols [FGMY97a, FGMY97b, FMY99, FMY01, HJKY95, HJJ+97, Rab98] protect against an adversary through periodic updating of the shares, which renders old shares obtained by the adversary useless. In general, PSS protocols retain the same threshold scheme before and after updating. Secret redistribution protocols protect against an adversary through periodic redistribution of shares from an (m, n) threshold sharing scheme to an (m', n') scheme [DJ97, FGMY97a], without requiring the intermediate reconstruction of the original secret.

To prevent faulty shareholders from corrupting the shares generated by a PSS or redistribution protocol, the shareholders must verify the validity of their shares after protocol execution (i.e., confirm that the shares can be used to reconstruct the original secret). In PSS protocols, shareholders obtain verification information during the initial distribution of shares, and update the information after updating the shares. In redistribution protocols, new shareholders obtain verification information from the old shareholders.

We observe that the verification mechanisms in existing protocols have the following shortcomings:

• The mechanisms in PSS protocols cannot be readily extended to allow “updates” between different threshold schemes or between disjoint sets of shareholders. Thus, these protocols cannot respond to the permanent removal or addition of a shareholder.

• The mechanisms in redistribution protocols have vulnerabilities that allow a faulty old shareholder to distribute invalid shares to new shareholders.

Our study is motivated by the application of redistribution protocols to survivable storage systems [WBS+00, WBP+01]. A survivable storage system distributes shares of files (secrets) across a set of storage servers. The system redistributes files to recover from the compromising of servers or to balance file access loads upon the addition of new servers.

We present a new protocol for verifiable secret redistribution (VSR) from an (m, n) threshold scheme to an (m', n') scheme. We base our protocol on Desmedt and Jajodia's redistribution protocol [DJ97], in which new shareholders generate shares from subshares of old shares. We extend their protocol with Feldman's verifiable secret sharing (VSS) scheme [Fel87] to enable new shareholders to verify the validity of their subshares (i.e., confirm that the subshares can be used to reconstruct old shares). However, we go beyond a naive extension, which does not enable new shareholders to verify that they have received subshares of valid old shares. To achieve complete verification in our protocol, old shareholders broadcast a commitment to the secret to the new shareholders. We prove that the new shareholders can generate valid new shares if they can both verify the validity of the old shares and verify the validity of the subshares.

The primary contribution of our work is that in our protocol:

• New shareholders can verify the validity of their shares after redistribution between different threshold schemes.


2 Related work

Blakley and Shamir invented secret sharing schemes independently. In Shamir's (m, n) sharing scheme [Sha79], the interpolation of an $m - 1$ degree polynomial from $m$ of $n$ points yields a constant term in the polynomial that corresponds to the secret. In Blakley's scheme [Bla79], the intersection of $m$ of $n$ vector spaces yields a one-dimensional vector that corresponds to the secret. Desmedt surveys other sharing schemes [Des97].

Feldman's VSS scheme [Fel87] is one of several to catch a dealer that attempts to distribute invalid shares. Chor et al. present a scheme in which the dealer and shareholders perform an interactive secure distributed computation [CGMA85]. Benaloh [Ben87], Gennaro and Micali [GJKR96, GM95], Goldreich et al. [GMW87], and Rabin and Ben-Or [Rab94, RBO89] propose schemes in which the dealer and shareholders participate in an interactive zero-knowledge proof of validity; the schemes of Gennaro and Micali, and of Rabin and Ben-Or, are information-theoretically secure. Pedersen [Ped91] presents a scheme, like Feldman's, in which the dealer broadcasts a non-interactive zero-knowledge proof to the shareholders. Beth et al. [BKO93] present a VSS scheme for monotone access structures based on finite geometries. Our VSR protocol differs from previous VSS schemes in that the multiple “dealers” of the new shares (the old shareholders) do not have the secret, and must use other information to generate a proof for the new shareholders. Also, each new shareholder verifies the validity of the subshares distributed by the old shareholders, and verifies the validity of the shares used by the old shareholders to generate the subshares.

Frankel et al. [FGMY97b, FMY99, FMY01] and Rabin [Rab98] propose PSS protocols in which each shareholder periodically distributes a subshare of its share to each of the other shareholders. Each shareholder combines the received subshares to generate a new share. A drawback of these PSS protocols is that the shareholders rely on commitments received during the initial distribution of the secret to verify the validity of their generated shares, and thus one cannot redistribute between disjoint sets of $n$ shareholders. Also, the commitments depend on $m$ and $n$, and thus one cannot redistribute from an (m, n) to an (m', n') threshold scheme. Lastly, the protocols build upon specific threshold schemes, and may not be applicable to a general class of schemes.

Desmedt and Jajodia [DJ97] present a secret redistribution protocol that does not require the intermediate reconstruction of the original secret. We present the details of their protocol in Sec. 3.2. Their protocol allows redistribution between different threshold schemes, and between disjoint sets of shareholders. Unfortunately, a compromised old shareholder in both protocols can undetectably distribute “subshares” of some random value instead of subshares of a valid old share. New shareholders that use these “subshares” will generate invalid new shares.

Frankel et al. [FGMY97a], independently of Desmedt and Jajodia, present a (proactive) redistribution protocol for shares of a private key in a public key cryptosystem. The protocol involves redistribution of the key from an (m, n) to (m, m) threshold scheme, followed by redistribution to an (m', n') scheme. Each old shareholder broadcasts a commitment to its share when it distributes the subshares. New shareholders use the commitment to verify the validity of their subshares. However, nothing prevents a compromised old shareholder from broadcasting a “commitment” to some random value. Thus, the protocol ultimately suffers from the same shortcoming as that of Desmedt and Jajodia.

Other researchers present secret redistribution protocols that do not involve the physical redistribution of shares. Blakley et al. consider threshold schemes that disenroll (remove) shareholders from the access structure with broadcast messages [BBGM92]; the new shareholders are a subset of the old ones. Cachin proposes a secret sharing scheme that enrolls (adds) shareholders in the access structure after the initial sharing [Cac95]; the new shareholders are a superset of the old ones. Blundo et al. present a scheme in which the dealer uses broadcast messages to activate different, possibly disjoint, authorized subsets [BCSV96]. Blundo's scheme requires shareholders to have a share regardless of whether or not they are in the active authorized subset, in contrast to Desmedt and Jajodia's scheme. Our VSR protocol alters the threshold scheme by physical redistribution of shares, and allows new shareholders to verify that they have valid shares.

Herzberg et al. [HJKY95, HJJ+97] propose a PSS protocol for Shamir's sharing scheme [Sha79] in which each shareholder periodically distributes update shares to all other shareholders. Zhou, Schneider, and van Renesse propose a PSS protocol for asynchronous, wide-area networks, and employ it in an on-line certification authority [ZSvR00]. Our VSR protocol, unlike these PSS protocols, can redistribute shares to arbitrary access structures. However, we assume that there exist reliable broadcast communication channels among all participants and private channels between every pair of participants in our protocol, which Zhou et al. avoid in their asynchronous protocol.

3 Cryptographic building blocks

In this section, we outline the cryptographic protocols that form the building blocks for our VSR protocol. We first summarize Desmedt and Jajodia's secret redistribution protocol [DJ97] for linear secret sharing schemes, and then summarize Feldman's VSS scheme [Fel87].

3.1 Mathematical notation

An (m, n) linear threshold scheme is an algorithm for the distribution of shares of a secret to a set of $n$ shareholders such that the secret is a linear combination of the shares of any $m$ shareholders. We define a secret $k$ to be in the set $\mathcal{K}$ of secrets, and each shareholder $i$ to be in the set $\mathcal{P}$ ($|\mathcal{P}| = n$) of shareholders. To distribute $k$, we generate a share $s_i$ for each $i \in \mathcal{P}$ with a polynomial $a(i)$:

$$ s_i = k + \sum_{l=1}^{m-1} a_l i^l \qquad (1) $$

where $s_i$ is in the set $S_i$ of shares, and $S_i$ is in the set $\mathcal{S}$ of share sets. For linear threshold schemes, $S_i = S_j$ for all $i, j \in \mathcal{P}$. To reconstruct $k$, we combine $s_i$ from all $i$ in an authorized subset $B$ ($|B| = m$) of $\mathcal{P}$:

$$ k = \sum_{i \in B} \psi_i s_i \qquad (2) $$

$\psi_i$ is a homomorphism from $S_i$ to $\mathcal{K}$; we aggregate the $\psi_i$ into the set $\Psi$ of homomorphisms. For linear threshold schemes, the homomorphisms are multiplications by scalars $\psi_i$ [DJ97]. All authorized subsets $B$ are in the access structure $\Gamma_{\mathcal{P}}$. We represent linear threshold schemes with the tuple $\{\Gamma_{\mathcal{P}}, \mathcal{K}, \mathcal{S}, \Psi\}$.

We utilize a homomorphic commitment function $C(x)$ [Ben87, Fel87] that maps from plain-text to cipher-text and is hard to invert. $C(x)$ is such that:

$$ C(a + b) = C(a)\,C(b), \qquad C(ax) = (C(a))^x \qquad (3) $$

3.2 Desmedt and Jajodia's secret redistribution protocol

Desmedt and Jajodia present a protocol for the redistribution of shares of secrets from threshold sharing schemes without requiring the intermediate reconstruction of the secret [DJ97]. For schemes that satisfy the conditions in Fig. 1, we can use the protocol in Fig. 2 to redistribute shares. Suppose we have a set $\mathcal{P}$ of shareholders $i$ that have shares $s_i$ of a secret $k$ distributed with the scheme $(\Gamma_{\mathcal{P}}, \mathcal{K}, \mathcal{S}, \Psi)$, and wish to redistribute to a set $\mathcal{P}'$ of shareholders $j$ that have shares $s'_j$ distributed with a different scheme $(\Gamma_{\mathcal{P}'}, \mathcal{K}, \mathcal{S}', \Psi')$. To achieve this, we select an authorized subset $B \in \Gamma_{\mathcal{P}}$ and use an intermediate scheme $(\Gamma_{\mathcal{P}'}, S_i, \hat{S}_i, \hat{\Psi}_i)$ to distribute subshares $\hat{s}_{ij}$ of each $s_i$ of $i \in B$ to each $j \in \mathcal{P}'$, where the set $\hat{S}_i$ of sets of subshares is:

$$ \hat{S}_i = \{\hat{s}_{ij} : j \in B',\ B' \in \Gamma_{\mathcal{P}'}\} \qquad (4) $$

and the set $\hat{\Psi}_i$ of homomorphisms from $\hat{S}_i$ to $S_i$ is:

$$ \hat{\Psi}_i = \{\hat{\psi}_{ij} : j \in B',\ B' \in \Gamma_{\mathcal{P}'}\} \qquad (5) $$

If we treat $\hat{s}_{ij}$ as being distributed by another intermediate scheme $(\Gamma_{\mathcal{P}}, S'_j, \hat{S}'_j, \hat{\Psi}'_j)$ (with $\hat{S}'_j$ and $\hat{\Psi}'_j$ defined similarly to $\hat{S}_i$ and $\hat{\Psi}_i$ in Eqns. (4) and (5)), we can generate $s'_j$ for each $j$ with the following equation:

$$ s'_j = \sum_{i \in B} \hat{\psi}'_{ji} \hat{s}_{ij} \qquad (6) $$

The correctness of the protocol depends on a condition that the homomorphisms of the old, intermediate, and new schemes pseudo-commute. Homomorphisms $\psi_i$, $\hat{\psi}_{ij}$, $\psi'_j$ and $\hat{\psi}'_{ji}$ pseudo-commute if:

$$ \psi_i \circ \hat{\psi}_{ij} = \psi'_j \circ \hat{\psi}'_{ji} \qquad (7) $$

1. For a set $\mathcal{P}$ of shareholders, there exists a linear sharing scheme $(\Gamma_{\mathcal{P}}, \mathcal{K}, \mathcal{S}, \Psi)$ such that each $i \in \mathcal{P}$ has received a share $s_i \in S_i \in \mathcal{S}$ of $k \in \mathcal{K}$.

2. For each $i \in \mathcal{P}$ there exists an intermediate linear sharing scheme $(\Gamma_{\mathcal{P}'}, S_i, \hat{S}_i, \hat{\Psi}_i)$ for the distribution of subshares $\hat{s}_{ij}$ of $s_i$ to each $j \in \mathcal{P}'$.

3. For all $x, y \in \mathcal{K}$, $x + y = y + x$.

4. For each $i \in B \in \Gamma_{\mathcal{P}}$ and $j \in B' \in \Gamma_{\mathcal{P}'}$, there exist homomorphisms $\psi_i$, $\hat{\psi}_{ij}$, $\psi'_j$, and $\hat{\psi}'_{ji}$ that pseudo-commute:

$$ \psi_i \circ \hat{\psi}_{ij} = \psi'_j \circ \hat{\psi}'_{ji} $$

Figure 1: Necessary conditions for the redistribution of shares from linear sharing schemes [DJ97].

Desmedt and Jajodia's Secret Redistribution protocol:

To redistribute $k$ from the (m, n) scheme $\{\Gamma_{\mathcal{P}}, \mathcal{K}, \mathcal{S}, \Psi\}$ to the (m', n') scheme $\{\Gamma_{\mathcal{P}'}, \mathcal{K}, \mathcal{S}', \Psi'\}$:

1. Select an authorized subset $B \in \Gamma_{\mathcal{P}}$. Use the intermediate scheme $(\Gamma_{\mathcal{P}'}, S_i, \hat{S}_i, \hat{\Psi}_i)$ to distribute subshares $\hat{s}_{ij}$ of each share $s_i$ of $i \in B$ to each $j \in \mathcal{P}'$.

2. For each $j \in \mathcal{P}'$, treat $\hat{s}_{ij}$ as if distributed with another intermediate scheme $(\Gamma_{\mathcal{P}}, S'_j, \hat{S}'_j, \hat{\Psi}'_j)$, and generate $s'_j$:

$$ s'_j = \sum_{i \in B} \hat{\psi}'_{ji} \hat{s}_{ij} $$

Figure 2: Desmedt and Jajodia's secret redistribution protocol for linear sharing schemes [DJ97].
3.3 Feldman's VSS scheme

Feldman presents a scheme that shareholders of a secret can use to verify the validity of their shares [Fel87]. Feldman assumes that there exists a homomorphic commitment function $C(x)$ that is hard to invert. Given the threshold scheme $\{\Gamma_{\mathcal{P}}, \mathcal{K}, \mathcal{S}, \Psi\}$, the dealer of the secret $k \in \mathcal{K}$, in addition to sending shares $s_i \in S_i$ to each $i \in \mathcal{P}$, broadcasts $C(k)$ and $C(a_1) \ldots C(a_{m-1})$ (commitments of the coefficients of the polynomial $a(i)$ used to generate $s_i$). Each $i$ then verifies that $s_i$ is a valid share of $k$ with the following equation:

$$ C(s_i) = C(k) \prod_{l=1}^{m-1} C(a_l)^{i^l} \qquad (8) $$

Eqn. (8) follows from Eqn. (1) and the homomorphic properties of $C(x)$ in Eqn. (3). Since $C(x)$ is hard to invert, no $i$ can learn $k$ from the broadcast of $C(k)$. We summarize Feldman's scheme in Fig. 3.

4 The VSR protocol

We present our verifiable secret redistribution protocol for secrets distributed with linear threshold schemes. We represent the (m, n) and (m', n') schemes with $\{\Gamma_{\mathcal{P}}, \mathcal{K}, \mathcal{S}, \Psi\}$ and $\{\Gamma_{\mathcal{P}'}, \mathcal{K}, \mathcal{S}', \Psi'\}$ respectively. We assume that there exists a homomorphic commitment function $C(x)$ that is hard to invert, and that there exist reliable broadcast communication channels among all participants and private channels between every pair of participants. We also assume that there are at most $n - m$ faulty old shareholders, that $m > n/2$, and that there are $n'$ non-faulty new shareholders.

The initial distribution of a secret (Initial in Fig. 4) proceeds as in Feldman's VSS scheme [Fel87]. The dealer of secret $k \in \mathcal{K}$ distributes shares $s_i \in S_i$ to each shareholder $i \in \mathcal{P}$, using the polynomial $a(i)$ (Initial step 1). The dealer also broadcasts $C(k), C(a_1) \ldots C(a_{m-1})$, which each $i$ uses in Eqn. (8) to verify the validity of $s_i$ (Initial steps 2 and 3). If Eqn. (8) holds, $i$ stores $s_i$ and $C(k)$ (Initial step 4).

Redistribution of the secret (Redist in Fig. 4) proceeds as in Desmedt and Jajodia's protocol [DJ97]. Each $i$ in an authorized subset $B \in \Gamma_{\mathcal{P}}$ uses an intermediate scheme $\{\Gamma_{\mathcal{P}'}, S_i, \hat{S}_i, \hat{\Psi}_i\}$ (with the polynomial $a'_i(j)$) to distribute subshares $\hat{s}_{ij} \in \hat{S}_i$ of $s_i$ to each shareholder $j \in \mathcal{P}'$ (Redist step 1). Each $j$ then generates the new share $s'_j$ (Eqn. (6), which is Redist step 4). We may redistribute $k$ an arbitrary number of times before we reconstruct it.


Feldman's Verifiable Secret Sharing scheme:

To use the (m, n) threshold scheme $\{\Gamma_{\mathcal{P}}, \mathcal{K}, \mathcal{S}, \Psi\}$ to distribute a secret $k \in \mathcal{K}$:

1. For each $i \in \mathcal{P}$, use the polynomial $a(i) = k + a_1 i + \ldots + a_{m-1} i^{m-1}$ to compute the share $s_i = a(i)$ of $k$, and send $s_i$ to $i$ over a private channel.

2. For each $i \in \mathcal{P}$, use commitment function $C(x)$ to generate $C(k), C(a_1), \ldots, C(a_{m-1})$, and broadcast them to all $i$.

3. For each $i \in \mathcal{P}$, verify that:

$$ C(s_i) = C(k) \prod_{l=1}^{m-1} C(a_l)^{i^l} $$

If the condition holds, $i$ broadcasts a “commit” message. Otherwise, $i$ broadcasts an “abort” message.

Figure 3: Feldman's VSS scheme for an (m, n) threshold scheme [Fel87].
Verifiable Secret Redistribution protocol:

INITIAL: To use the (m, n) linear threshold scheme $\{\Gamma_{\mathcal{P}}, \mathcal{K}, \mathcal{S}, \Psi\}$ to distribute a secret $k \in \mathcal{K}$:

1. For each $i \in \mathcal{P}$, use the polynomial $a(i) = k + a_1 i + \ldots + a_{m-1} i^{m-1}$ to compute the share $s_i$ of $k$, and send $s_i$ to $i$ over a private channel.

2. Use commitment function $C(x)$ to generate $C(k), C(a_1), \ldots, C(a_{m-1})$, and send them to all $i \in \mathcal{P}$ over the broadcast channel.

3. For each $i \in \mathcal{P}$, verify that:

$$ C(s_i) = C(k) \prod_{l=1}^{m-1} C(a_l)^{i^l} $$

If the condition holds, $i$ broadcasts a “commit” message. Otherwise, $i$ broadcasts an “abort” message.

4. If all $i \in \mathcal{P}$ agree to commit, each $i$ stores $s_i$ and $C(k)$. Otherwise, they abort the protocol.

REDIST: To redistribute $k$ from the (m, n) scheme $\{\Gamma_{\mathcal{P}}, \mathcal{K}, \mathcal{S}, \Psi\}$ to the (m', n') scheme $\{\Gamma_{\mathcal{P}'}, \mathcal{K}, \mathcal{S}', \Psi'\}$:

1. For each $i \in B$ ($B \in \Gamma_{\mathcal{P}}$), use the polynomial $a'_i(j) = s_i + a'_{i1} j + \ldots + a'_{i(m'-1)} j^{m'-1}$ to compute the subshares $\hat{s}_{ij}$ of $s_i$, and send $\hat{s}_{ij}$ to the corresponding $j \in \mathcal{P}'$ over a private channel.

2. For each $i \in B$, use the commitment function $C(x)$ to generate $C(s_i), C(a'_{i1}), \ldots, C(a'_{i(m'-1)})$, and send them to all $j \in \mathcal{P}'$ over the broadcast channel.

3. For each $j \in \mathcal{P}'$, verify that:

$$ \forall i \in B : C(\hat{s}_{ij}) = C(s_i) \prod_{l=1}^{m'-1} C(a'_{il})^{j^l} $$

and:

$$ C(k) = \prod_{i \in B} C(s_i)^{\psi_i} $$

If the conditions hold, $j$ broadcasts a “commit” message. Otherwise, $j$ broadcasts an “abort” message.

4. If all $j \in \mathcal{P}'$ agree to commit, each $j$ generates $s'_j$:

$$ s'_j = \sum_{i \in B} \hat{\psi}'_{ji} \hat{s}_{ij} $$

and stores $s'_j$ and $C(k)$. Otherwise, they abort the protocol.

Figure 4: Verifiable secret redistribution protocol for the redistribution of shares from an (m, n) to (m', n') threshold scheme.
For the new shareholders to verify that their shares of the secret are valid after redistribution, we require that two conditions, SHARES-VALID and SUBSHARES-VALID, hold. Recall that for linear threshold schemes, homomorphisms $\psi_i$ are multiplications by scalars $\psi_i$. When all $i \in B$ ($B \in \Gamma_{\mathcal{P}}$) redistribute $s_i$ to each $j \in \mathcal{P}'$, all $s'_j$ are valid shares of $k$ if:

SHARES-VALID:

$$ k = \sum_{i \in B} \psi_i s_i $$

SUBSHARES-VALID:

$$ \forall i \in B,\ B' \in \Gamma_{\mathcal{P}'} : s_i = \sum_{j \in B'} \hat{\psi}_{ij} \hat{s}_{ij} $$

We define a NEW-SHARES-VALID condition. The condition holds if new shareholders have valid shares of the secret. We prove in Sec. 4.3 that NEW-SHARES-VALID holds if SHARES-VALID and SUBSHARES-VALID hold. The definition of NEW-SHARES-VALID follows from Eqn. (2) for $\{\Gamma_{\mathcal{P}'}, \mathcal{K}, \mathcal{S}', \Psi'\}$:

NEW-SHARES-VALID:

$$ k = \sum_{j \in B'} \psi'_j s'_j $$

We use Feldman's VSS scheme to verify that SUBSHARES-VALID holds in our protocol. The distribution of $\hat{s}_{ij}$ from $s_i$ (Redist step 1) is an application of the scheme $\{\Gamma_{\mathcal{P}'}, S_i, \hat{S}_i, \hat{\Psi}_i\}$. Thus, each $i \in B$ broadcasts $C(s_i)$ and $C(a'_{i1}) \ldots C(a'_{i(m'-1)})$, which each $j$ uses to verify the validity of $\hat{s}_{ij}$ (Redist step 2).

The key insight embodied in our VSR protocol is that the naive extension of Desmedt and Jajodia's protocol with Feldman's scheme does not in itself allow the new shareholders to verify that NEW-SHARES-VALID holds. The difficulty arises because Feldman's scheme only verifies that SUBSHARES-VALID holds, which in the absence of SHARES-VALID is insufficient to verify that NEW-SHARES-VALID holds. Although Desmedt and Jajodia observe that the linear properties of their protocol and the properties of $C(x)$ ensure that each $j$ generates valid shares [DJ97], they implicitly assume that each $i \in B$ distributes subshares of valid $s_i$. The VSS scheme simply allows a shareholder $i \in B$ to prove that it distributed valid $\hat{s}_{ij}$ of some value. However, $i$ may have distributed “subshares” of some random value instead of $\hat{s}_{ij}$ of $s_i$. Thus, we require a sub-protocol for $i$ to prove that it distributed $\hat{s}_{ij}$ of $s_i$ to $j \in \mathcal{P}'$.

To allow the new shareholders to verify that SHARES-VALID holds, which together with SUBSHARES-VALID verifies that NEW-SHARES-VALID holds, the old shareholders in our protocol broadcast a commitment to the secret. Each $i \in B$ must therefore store $C(k)$ (received during Initial) and later broadcast it to $j \in \mathcal{P}'$. Recall that each $j$ receives $C(s_i)$ from each $i$ to verify that SUBSHARES-VALID holds. Once each $j$ receives $C(k)$, it verifies that $s_i$ is a valid share of $k$ with the following equation:

$$ C(k) = \prod_{i \in B} C(s_i)^{\psi_i} \qquad (9) $$

Eqn. (9) follows from Eqn. (2) and the homomorphic properties of $C(x)$ in Eqn. (3). Since $C(x)$ is hard to invert, no $j$ can learn $k$ from the broadcast of $C(k)$.

4.1 Assumptions about faulty shareholders

When we redistribute a secret from the scheme $\{\Gamma_{\mathcal{P}}, \mathcal{K}, \mathcal{S}, \Psi\}$ to the scheme $\{\Gamma_{\mathcal{P}'}, \mathcal{K}, \mathcal{S}', \Psi'\}$ with our VSR protocol, we assume that at least $m$ of the $n$ shareholders in $\mathcal{P}$ and all $n'$ of the shareholders in $\mathcal{P}'$ are non-faulty, and up to $n - m$ of the remaining shareholders in $\mathcal{P}$ may be faulty. We denote faulty shareholders, and the values they distribute, with over-bars. A non-faulty shareholder $i \in \mathcal{P}$ distributes valid subshares $\hat{s}_{ij}$ of its share $s_i$ to all shareholders $j \in \mathcal{P}'$ and broadcasts $C(k)$ corresponding to secret $k \in \mathcal{K}$. A faulty shareholder $\bar{i}$ may distribute invalid subshares $\overline{\hat{s}}_{ij}$ or broadcast $\overline{C(k)}$ not corresponding to $k$.

We also assume that we do not know which $m$ of the $n$ shareholders in $\mathcal{P}$ are non-faulty. Suppose we include a faulty shareholder $\bar{i}$ in our selection of authorized subset $B \in \Gamma_{\mathcal{P}}$ to participate in redistribution (Redist in Fig. 4). However, if $\bar{i}$ distributes $\overline{\hat{s}}_{ij}$, one of the $j$ will detect the presence of $\bar{i}$ since one of Eqns. (8) or (9) will not hold. Alternatively, if $\bar{i}$ broadcasts $\overline{C(k)}$, all $j$ will detect the discrepancy when non-faulty old shareholders broadcast $C(k)$. Thus, $\bar{i}$ must participate in the protocol without fault or risk detection. If we detect the presence of $\bar{i}$, we must restart redistribution with another set of $m$ old shareholders. Unfortunately, we cannot identify $\bar{i}$ with our protocol.

The assumption that we do not know which $m$ shareholders in $\mathcal{P}$ are non-faulty bounds the relative values of $m$ and $n$. We assume that we can detect discrepancies between $\overline{C(k)}$ and $C(k)$ broadcast by faulty and non-faulty shareholders in $\mathcal{P}$ respectively. However, if we were to select a group of $m$ faulty shareholders $\bar{i}$ inadvertently, then we would be unable to detect discrepancies if all $\bar{i}$ broadcast $\overline{C(k)}$. We therefore require that $m > n/2$ so each $B$ contains at least one non-faulty shareholder; if $m < n/2$, $n - m$ faulty shareholders in $\mathcal{P}$ could conspire to reconstruct $k$ or deceive shareholders in $\mathcal{P}'$.

The requirement that all $n'$ shareholders in $\mathcal{P}'$ are non-faulty is reasonable if we view the purpose of our VSR protocol as one of detecting faulty behavior by shareholders in $\mathcal{P}$. This is analogous to one of the assumptions underlying Feldman's VSS scheme [Fel87], in which the shareholders are implicitly trusted to store valid shares (and reject invalid shares) of a secret.

4.2 Computational cost

The computational cost of verification for each new shareholder in our VSR protocol (Redist step 3 in Fig. 4) is $O(mm')$ multiplications and $O(mm')$ exponentiations, exclusive of the cost of the commitment function $C(x)$. Consider redistribution from the scheme $\{\Gamma_{\mathcal{P}}, \mathcal{K}, \mathcal{S}, \Psi\}$ to the scheme $\{\Gamma_{\mathcal{P}'}, \mathcal{K}, \mathcal{S}', \Psi'\}$. Each new shareholder $j \in \mathcal{P}'$ performs $m - 1$ multiplications ($B \in \Gamma_{\mathcal{P}}$; $|B| = m$) and $m$ exponentiations to verify that SHARES-VALID holds (Eqn. (9)), for a total cost of $O(m)$; we do not include the (small) cost of computing the powers of $i$. Each $j$ also performs $m' - 1$ multiplications ($B' \in \Gamma_{\mathcal{P}'}$; $|B'| = m'$) and $m' - 1$ exponentiations for $m$ old shareholders $i \in B$ to verify that SUBSHARES-VALID holds (Eqn. (8)), for a total cost of $O(mm')$. Thus, the total cost for each $j$ to verify that both conditions hold is $O(mm')$ multiplications and $O(mm')$ exponentiations, exclusive of the cost of $C(x)$.

4.3 Correctness

We prove that NEW-SHARES-VALID holds after share redistribution if SHARES-VALID and SUBSHARES-VALID hold. We also show that Eqns. (8) and (9) verify that SUBSHARES-VALID and SHARES-VALID hold.

Lemma 1 SUBSHARES-VALID holds if Eqn. (8) holds.

PROOF: Proved by Feldman [Fel87]. □

Lemma 2 SHARES-VALID holds if Eqn. (9) holds.

PROOF: Assume that Eqn. (9) holds. It then follows that SHARES-VALID holds from Eqn. (2) and the homomorphic properties of the commitment function $C(x)$. □

Theorem 1 (VSR theorem) For the (m, n) linear threshold scheme $\{\Gamma_{\mathcal{P}}, \mathcal{K}, \mathcal{S}, \Psi\}$ and the (m', n') scheme $\{\Gamma_{\mathcal{P}'}, \mathcal{K}, \mathcal{S}', \Psi'\}$, for all secrets $k \in \mathcal{K}$, and for all authorized subsets $B \in \Gamma_{\mathcal{P}}$, $B' \in \Gamma_{\mathcal{P}'}$, NEW-SHARES-VALID holds after redistribution of $k$ with the VSR protocol if SHARES-VALID and SUBSHARES-VALID hold.

PROOF: Assume that both SHARES-VALID and SUBSHARES-VALID hold. Then:

$$
\begin{aligned}
k &= \sum_{i \in B} \psi_i s_i && \text{(SHARES-VALID)} \\
  &= \sum_{i \in B} \psi_i \Big( \sum_{j \in B'} \hat{\psi}_{ij} \hat{s}_{ij} \Big) && \text{(SUBSHARES-VALID)} \\
  &= \sum_{i \in B} \sum_{j \in B'} \psi_i \hat{\psi}_{ij} \hat{s}_{ij} && (\psi_i \text{ is a homomorphism}) \\
  &= \sum_{i \in B} \sum_{j \in B'} \psi'_j \hat{\psi}'_{ji} \hat{s}_{ij} && \text{(pseudo-commutativity of homomorphisms (Eqn. (7)))} \\
  &= \sum_{j \in B'} \sum_{i \in B} \psi'_j \hat{\psi}'_{ji} \hat{s}_{ij} && (\forall x, y \in \mathcal{K} : x + y = y + x) \\
  &= \sum_{j \in B'} \psi'_j \sum_{i \in B} \hat{\psi}'_{ji} \hat{s}_{ij} && (\psi'_j \text{ is a homomorphism}) \\
  &= \sum_{j \in B'} \psi'_j s'_j && \text{(Eqn. (6))}
\end{aligned}
$$

which is NEW-SHARES-VALID. □

Our correctness proof mirrors that for Desmedt and Jajodia's secret redistribution protocol [DJ97].

5 Specialization of the VSR protocol for Shamir's sharing scheme

We present the specialization of our VSR protocol for Shamir's sharing scheme [Sha79]. We first summarize Shamir's scheme, and then specialize our protocol for Shamir's scheme. We present the specialization to demonstrate the practical application of our VSR protocol, and to emphasize the need for new shareholders to obtain the commitment to the secret for verification of their shares.

5.1 Shamir's sharing scheme

Shamir presents an (m, n) sharing scheme based on polynomial interpolation [Sha79]. The secret $k$ is in $\mathbb{Z}_p$ ($p$ prime; $p > n$), and each shareholder $i$ is in the set $\mathcal{P}$ ($|\mathcal{P}| = n$). All mathematical operations are in the finite field $\mathbb{Z}_p$. To distribute $k$, we select a polynomial $a(i)$ with degree $m - 1$ and constant term $k$, and generate a share $s_i$ for each $i$ in $\mathcal{P}$ with $a(i)$:

(10)

where $s_i \in \mathbb{Z}_p$. To reconstruct $k$, we recover $m$ coordinate pairs $(i, s_i)$ of all $i \in B$ (where $|B| = m$ and $B \in \Gamma_{\mathcal{P}}$), and use the pairs in the Lagrange interpolation formula:

(11)

We represent Shamir's scheme with the tuple $\{\Gamma_{\mathcal{P}}, \mathbb{Z}_p, \{\mathbb{Z}_p\}, \Psi^S\}$, where $\psi^S_i = b_i$ and $i \in \mathcal{P}$.
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5.2  The  VSR  protocol  for  Shamir’s  scheme 


We present our VSR protocol for secrets distributed with Shamir's sharing scheme [Sha79]. We represent the $(m, n)$ scheme with $\{\Gamma_P, \mathbb{Z}_p, \{\mathbb{Z}_p\}, \psi_S\}$, and the $(m', n')$ scheme with $\{\Gamma_{P'}, \mathbb{Z}_p, \{\mathbb{Z}_p\}, \psi_S\}$. We assume that the computation of discrete logs in a finite field is intractable. As for the general VSR protocol, we assume there exist reliable broadcast communication channels among all participants and private channels between every pair of participants. We assume that there are at most $n - m$ faulty old shareholders, that $m > n/2$, and that there are $n'$ non-faulty new shareholders. We summarize the protocol in Fig. 5.

Redistribution of the secret (Redist in Fig. 5) proceeds as follows. Each $i$ in an authorized subset $B \in \Gamma_P$ uses an intermediate scheme $\{\Gamma_{P'}, \mathbb{Z}_p, \{\mathbb{Z}_p\}, \psi_S\}$ (with the polynomial $a'_i(j)$) to distribute subshares $s_{ij} \in \mathbb{Z}_p$ of their share $s_i$ of secret $k \in \mathbb{Z}_p$ to each shareholder $j \in V'$ (Redist step 1). Each $j$ then generates the new share $s'_j$ (Redist step 4):

$$s'_j = \sum_{i \in B} b_i s_{ij} \quad (12)$$

To allow the new shareholders to verify that SHARES-VALID and SUBSHARES-VALID hold, the old shareholders use the commitment function:

$$C(x) = g^x \quad (13)$$

where $g$ is a generator for $\mathbb{Z}_p$:

$$\forall b \in \{1, \ldots, p-1\} \; \exists a \in \{1, \ldots, p-1\} : g^a = b \bmod p \quad (14)$$

The old shareholders $i \in B$ ($B \in \Gamma_P$) broadcast the commitment to the secret $g^k$, shares $g^{s_i}$, and coefficients of the polynomial $g^{a'_{i1}}, \ldots, g^{a'_{i(m'-1)}}$ (Redist Step 2 in Fig. 5). The new shareholders $j \in V'$ then verify that (Redist Step 3):

$$g^{s_{ij}} = g^{s_i} \prod_{l=1}^{m'-1} \left(g^{a'_{il}}\right)^{j^l} \quad (15)$$

for each $i \in B$, and

$$g^k = \prod_{i \in B} \left(g^{s_i}\right)^{b_i} \quad \text{where } b_i = \prod_{l \in B,\, l \neq i} \frac{l}{l - i} \quad (16)$$


Verifiable Secret Redistribution protocol for Shamir's sharing scheme:

INITIAL: To use the $(m, n)$ scheme $\{\Gamma_P, \mathbb{Z}_p, \{\mathbb{Z}_p\}, \psi_S\}$ to distribute a secret $k \in \mathbb{Z}_p$:

1. For each $i \in V$, use the polynomial $a(i) = k + a_1 i + \ldots + a_{m-1} i^{m-1}$ to compute the shares $s_i$ of $k$, and send $s_i$ to $i \in V$ over a private channel.

2. Use $g$ to generate $g^k, g^{a_1}, \ldots, g^{a_{m-1}}$, and send them to all $i \in V$ over the broadcast channel.

3. For each $i \in V$, verify that:

$$g^{s_i} = g^k \prod_{l=1}^{m-1} \left(g^{a_l}\right)^{i^l}$$

If the condition holds, $i$ broadcasts a "commit" message. Otherwise, $i$ broadcasts an "abort" message.

4. If all $i \in V$ agree to commit, each $i$ stores $s_i$ and $g^k$. Otherwise, they abort the protocol.

REDIST: To redistribute $k$ from the $(m, n)$ scheme $\{\Gamma_P, \mathbb{Z}_p, \{\mathbb{Z}_p\}, \psi_S\}$ to the $(m', n')$ scheme $\{\Gamma_{P'}, \mathbb{Z}_p, \{\mathbb{Z}_p\}, \psi_S\}$:

1. For each $i \in B$ ($B \in \Gamma_P$), use the polynomial $a'_i(j) = s_i + a'_{i1} j + \ldots + a'_{i(m'-1)} j^{m'-1}$ to compute the subshares $s_{ij}$ of $s_i$, and send $s_{ij}$ to the corresponding $j \in V'$ over a private channel.

2. For each $i \in B$, use $g$ to generate $g^{s_i}, g^{a'_{i1}}, \ldots, g^{a'_{i(m'-1)}}$, and send them to all $j \in V'$ over the broadcast channel.

3. For each $j \in V'$, verify that:

$$\forall i \in B : \; g^{s_{ij}} = g^{s_i} \prod_{l=1}^{m'-1} \left(g^{a'_{il}}\right)^{j^l}$$

and:

$$g^k = \prod_{i \in B} \left(g^{s_i}\right)^{b_i} \quad \text{where } b_i = \prod_{l \in B,\, l \neq i} \frac{l}{l - i}$$

If the conditions hold, $j$ broadcasts a "commit" message. Otherwise, $j$ broadcasts an "abort" message.

4. If all $j \in V'$ agree to commit, each $j$ generates $s'_j$:

$$s'_j = \sum_{i \in B} b_i s_{ij}$$

and stores $s'_j$ and $g^k$. Otherwise, they abort the protocol.

Figure 5: Verifiable secret redistribution protocol for the redistribution of shares from Shamir's $(m, n)$ sharing scheme [Sha79] to Shamir's $(m', n')$ scheme.

5.3 Discussion

To emphasize the shortcomings in the naive extension of Desmedt and Jajodia's redistribution protocol [DJ97] by Feldman's VSS scheme [Fel87], we present an alternative verification mechanism for secret redistribution for Shamir's scheme [Sha79] that still requires the new shareholders to obtain the commitment to the secret. Consider redistribution of a secret $k$ from the scheme $\{\Gamma_P, \mathbb{Z}_p, \{\mathbb{Z}_p\}, \psi_S\}$ to the scheme $\{\Gamma_{P'}, \mathbb{Z}_p, \{\mathbb{Z}_p\}, \psi_S\}$. Suppose we knew the shares $s_i$ of the old shareholders $i \in B$ ($B \in \Gamma_P$) and the coefficients
of the polynomial $a'_i(j)$ used by $i$ to distribute the subshares of $s_i$. We could then interpolate the $m' - 1$ degree polynomial that a central dealer could have used to distribute shares $s'_j$ of $k$ to new shareholders $j \in V'$ directly:

$$\begin{aligned}
s'_j &= \sum_{i \in B} b_i s_{ij} && \text{(Eqn. (12))} \\
&= \sum_{i \in B} b_i \left(s_i + a'_{i1} j + \ldots + a'_{i(m'-1)} j^{m'-1}\right) && \text{(Redist Step 1 in Fig. 5)} \\
&= \sum_{i \in B} b_i s_i + \sum_{i \in B} b_i a'_{i1} j + \ldots + \sum_{i \in B} b_i a'_{i(m'-1)} j^{m'-1} \\
&= k + \left(\sum_{i \in B} b_i a'_{i1}\right) j + \ldots + \left(\sum_{i \in B} b_i a'_{i(m'-1)}\right) j^{m'-1} && \text{(Eqn. (11))}
\end{aligned} \quad (17)$$


We might be tempted to use a new check similar to that in Feldman's VSS scheme to verify the validity of the shares held by new shareholders. Suppose each $i \in B$ broadcasts the same information as they did in the specialized VSR protocol (Redist Step 2 in Fig. 5). Each $j \in V'$ then verifies that $s'_j$ is a valid share of $k$ with the following equation:

$$g^{s'_j} = g^k \, g^{\left(\sum_{i \in B} b_i a'_{i1}\right) j} \cdots g^{\left(\sum_{i \in B} b_i a'_{i(m'-1)}\right) j^{m'-1}} \quad (18)$$

Eqn. (18) follows from Eqn. (17) and the homomorphic properties of exponentiation. Since finding discrete logs is intractable, no $j$ can learn $k$ from the broadcast of $g^k$.

Even though the new check in Eqn. (18) appears similar to that of Feldman's VSS scheme in Eqn. (§) (with $C(x) = g^x$), it is subtly different from our use of Feldman's scheme to verify that SUBSHARES-VALID holds. More specifically, in our use of Feldman's scheme a single old shareholder $i \in B$ proves to the $n'$ new shareholders $j \in V'$ that it distributed valid subshares. In the new check suggested by Eqn. (18), the $m$ shareholders $i \in B$ prove that they distributed valid subshares of valid shares to the $n'$ new shareholders $j \in V'$. To use Feldman's scheme, we require that each $i$ broadcast only the commitments to the shares $g^{s_i}$ and coefficients of the polynomial $g^{a'_{i1}}, \ldots, g^{a'_{i(m'-1)}}$. For $j$ to use the new check, we require that each $i$ broadcast in addition the commitment to the secret $g^k$ (as required in our VSR protocol in Sec. [|).
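The following Python program is an added worked example (it is not code from the paper or from the PASIS project) that exercises Sections 5.1 to 5.3 end to end: Shamir distribution and Lagrange reconstruction (Eqns. (10), (11)), the commitment $C(x) = g^x$ of Eqn. (13), the Redist checks of Eqns. (15) and (16) that every new shareholder runs before combining subshares by Eqn. (12), and the Discussion's alternative check of Eqn. (18). One assumption departs from the text: the code works in the prime-order-$q$ subgroup of $\mathbb{Z}_p^*$ with $p = 2q + 1$ and $g$ of order $q$ (the setting in which Feldman's scheme is usually stated) instead of a generator of all of $\mathbb{Z}_p$ as in Eqn. (14), and shares are taken in $\mathbb{Z}_q$, so that reduction of shares and reduction of exponents happen modulo the same prime and the verification equations hold exactly. Every parameter ($p = 1019$, the seed, the shareholder ids, the secret, the choice of $B$) is a constructed toy value.

```python
"""Toy verifiable secret redistribution (VSR) for Shamir's scheme (added example, not the paper's code).
Assumption: commitments live in the prime-order-q subgroup of Z_p^* with p = 2q + 1 (Feldman's setting)
rather than under a generator of all of Z_p as in Eqn. (14), so that share arithmetic mod q agrees with
exponent arithmetic mod q. Parameters are constructed toy sizes, far too small for real use."""
import random

P = 1019                    # constructed safe prime, p = 2q + 1
Q = (P - 1) // 2            # q = 509 (prime): shares and coefficients live in Z_q
G = 4                       # 4 = 2^2 is a quadratic residue mod p, so it has order q
rng = random.Random(2002)   # seeded so every run produces the same polynomials

def commit(x):
    """Commitment function C(x) = g^x of Eqn. (13)."""
    return pow(G, x % Q, P)

def lagrange_coeffs(ids):
    """b_i = prod_{l in ids, l != i} l / (l - i) mod q (Eqns. (11), (12), (16))."""
    coeffs = {}
    for i in ids:
        num, den = 1, 1
        for l in ids:
            if l != i:
                num, den = num * l % Q, den * (l - i) % Q
        coeffs[i] = num * pow(den, -1, Q) % Q
    return coeffs

def share(secret, m, ids):
    """Shamir (m, n) distribution, Eqn. (10): s_i = a(i), deg a = m - 1, a(0) = secret.
    Also returns the Feldman commitments [g^{a_0}, ..., g^{a_{m-1}}]."""
    poly = [secret % Q] + [rng.randrange(Q) for _ in range(m - 1)]
    shares = {i: sum(c * pow(i, l, Q) for l, c in enumerate(poly)) % Q for i in ids}
    return shares, [commit(c) for c in poly]

def reconstruct(points):
    """Lagrange interpolation at 0, Eqn. (11): k = sum_i b_i s_i over m points (i, s_i)."""
    b = lagrange_coeffs(list(points))
    return sum(b[i] * s for i, s in points.items()) % Q

def feldman_check(value, x, commitments):
    """g^{value} == prod_l (g^{a_l})^{x^l}: INITIAL step 3 of Fig. 5 and Eqn. (15)."""
    rhs = 1
    for l, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(x, l, Q), P) % P
    return commit(value) == rhs

def redistribute(old_shares, m_new, new_ids):
    """REDIST steps 1-2 for the old shareholders in B: each i re-shares s_i with a degree-(m'-1)
    polynomial a'_i(j) whose constant term is s_i, and broadcasts [g^{s_i}, g^{a'_{i1}}, ...]."""
    subshares, commitments = {}, {}   # subshares[i][j] = s_ij, sent over the private channel i -> j
    for i, s_i in old_shares.items():
        subshares[i], commitments[i] = share(s_i, m_new, new_ids)
    return subshares, commitments

def verify_and_combine(j, received, commitments, gk):
    """REDIST steps 3-4 as seen by new shareholder j; received[i] = s_ij.
    Returns (False, None) if Eqn. (15) fails for any i or Eqn. (16) fails, else (True, s'_j)."""
    b = lagrange_coeffs(list(received))
    if not all(feldman_check(s_ij, j, commitments[i]) for i, s_ij in received.items()):
        return False, None                                  # SUBSHARES-VALID, Eqn. (15)
    prod = 1
    for i in received:
        prod = prod * pow(commitments[i][0], b[i], P) % P   # prod_i (g^{s_i})^{b_i}
    if prod != gk:
        return False, None                                  # SHARES-VALID, Eqn. (16)
    return True, sum(b[i] * s_ij for i, s_ij in received.items()) % Q   # Eqn. (12)

def alternative_check(j, s_new, gk, commitments, b):
    """The Discussion's Eqn. (18): g^{s'_j} == g^k * prod_l g^{(sum_i b_i a'_{il}) j^l},
    computed from the broadcast commitments; note it cannot run without g^k."""
    rhs = gk
    for l in range(1, len(next(iter(commitments.values())))):
        coef = 1
        for i in commitments:                               # prod_i (g^{a'_{il}})^{b_i}
            coef = coef * pow(commitments[i][l], b[i], P) % P
        rhs = rhs * pow(coef, pow(j, l, Q), P) % P
    return commit(s_new) == rhs

def demo(faulty=False):
    """Redistribute a constructed secret from a (3, 5) scheme to a (4, 7) scheme. With
    faulty=True, old shareholder 3 corrupts the subshare it sends new shareholder 1."""
    k = 424242 % Q
    old_ids, new_ids = [1, 2, 3, 4, 5], [1, 2, 3, 4, 5, 6, 7]
    old_shares, init_comm = share(k, 3, old_ids)
    gk = init_comm[0]                                       # g^k, stored by every shareholder
    if not all(feldman_check(s, i, init_comm) for i, s in old_shares.items()):
        return None                                         # INITIAL step 3 failed
    B = {i: old_shares[i] for i in (1, 3, 5)}               # an authorized subset, |B| = m
    subshares, comm = redistribute(B, 4, new_ids)
    if faulty:
        subshares[3][1] = (subshares[3][1] + 1) % Q
    new_shares = {}
    for j in new_ids:
        ok, s_new = verify_and_combine(j, {i: subshares[i][j] for i in B}, comm, gk)
        if not ok:
            return None                                     # j broadcasts "abort"
        new_shares[j] = s_new
    b = lagrange_coeffs(list(B))
    eq18 = all(alternative_check(j, new_shares[j], gk, comm, b) for j in new_ids)
    # any m' = 4 new shares reconstruct k, and k was never rebuilt during redistribution
    return eq18 and reconstruct({j: new_shares[j] for j in (2, 4, 6, 7)}) == k
```

`demo()` returns True: all seven new shareholders accept, Eqn. (18) holds for each of them, and any four new shares recover $k$ although the secret is never reconstructed in between. `demo(faulty=True)` returns None because new shareholder 1 rejects the corrupted subshare at Eqn. (15) before any new share is formed, which is the detection the text attributes to SUBSHARES-VALID. Both the Eqn. (16) check and `alternative_check` take $g^k$ as an input, which is the point of Section 5.3: without the commitment to the secret a new shareholder can confirm that the subshares it received are consistent with some polynomial, but not that the combined value is a share of $k$.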


6 Summary and future work

We have presented a protocol to verifiably redistribute shares of secrets between different threshold schemes. We proved that new shareholders have valid shares after redistribution if SHARES-VALID and SUBSHARES-VALID hold, and have given the corresponding verifications. We showed that our protocol guards against faulty behavior by up to $n - m$ of the old shareholders provided that $m > n/2$. In our presentation, we assumed that there exist commitment functions that are hard to invert, and that there exist reliable broadcast communication channels among all participants and private channels between every pair of participants. The primary contribution of our work is that in our protocol, new shareholders can verify the validity of their shares after redistribution between different threshold schemes.

As part of our future work, we will investigate ways to identify faulty old shareholders during redistribution, and to relax the bounds on the number of non-faulty new shareholders. We are currently implementing our protocol as part of the Carnegie Mellon PASIS survivable storage system [WBP+01, WBS+00] to evaluate its performance costs.